NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY

SI-3(4) Updates Only by Privileged Users

Update malicious code protection mechanisms only when directed by a privileged user.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Protection mechanisms for malicious code are typically categorized as security-related software and, as such, are only updated by organizational personnel with appropriate access privileges.

Practitioner Notes

Only privileged users (administrators) should be able to update malicious code protection software and definitions.

Example 1: Configure antimalware updates to come only from your central management server (WSUS, SCCM, ePO). Disable the ability for end users to manually trigger or control definition updates. Updates happen silently in the background via enterprise management.

Example 2: Use role-based access in your antimalware management console to restrict who can approve and push definition updates. Only your security team and IT administrators have the permissions to modify update policies.
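An access review covering both examples above, added here as an illustration and not taken from any antimalware product: it flags console users outside the approved administrator list who hold update-related permissions, and update events that were not directed by a privileged user or did not come from the central server. All user names, role names, permission names, hostnames and the export layout are constructed assumptions.

```python
# Constructed sample data in a hypothetical export layout (not a real product format).
APPROVED_ADMINS = {"alice.sec", "bob.itadmin"}      # security team / IT administrators
APPROVED_SOURCES = {"av-mgmt.corp.example"}         # central management server
UPDATE_PERMS = {"approve_definitions", "push_definitions", "edit_update_policy"}

ROLE_PERMS = {
    "SecurityAdmin": {"approve_definitions", "push_definitions", "edit_update_policy"},
    "Helpdesk": {"view_alerts", "push_definitions"},
    "Auditor": {"view_alerts", "view_policy"},
}
USER_ROLES = {
    "alice.sec": ["SecurityAdmin"],
    "bob.itadmin": ["SecurityAdmin"],
    "carol.help": ["Helpdesk"],
    "dave.audit": ["Auditor"],
}
UPDATE_EVENTS = [  # (host, initiated_by, update_source)
    ("ws-014", "alice.sec", "av-mgmt.corp.example"),
    ("ws-022", "erin.user", "av-mgmt.corp.example"),
    ("ws-031", "bob.itadmin", "updates.vendor.example"),
]

def excess_update_rights(user_roles, role_perms, approved):
    """Map each non-approved user to the update-related permissions they hold."""
    findings = {}
    for user, roles in user_roles.items():
        # Union of permissions across all of the user's roles, limited to update rights.
        held = set().union(*(role_perms.get(r, set()) for r in roles)) & UPDATE_PERMS
        if held and user not in approved:
            findings[user] = sorted(held)
    return findings

def noncompliant_updates(events, approved, sources):
    """List update events with a non-privileged initiator or an unapproved source."""
    out = []
    for host, user, source in events:
        reasons = []
        if user not in approved:
            reasons.append("non-privileged initiator")
        if source not in sources:
            reasons.append("unapproved source")
        if reasons:
            out.append((host, user, reasons))
    return out

if __name__ == "__main__":
    print(excess_update_rights(USER_ROLES, ROLE_PERMS, APPROVED_ADMINS))
    print(noncompliant_updates(UPDATE_EVENTS, APPROVED_ADMINS, APPROVED_SOURCES))
```

The Helpdesk role in the sample data shows the usual way this control drifts: an update permission bundled into a role that is otherwise read-only.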